[gptalk] Re: disable Integrated Windows Authentication in IE6 w/ GP

  • From: "Randy Benson" <randybenson@xxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 21 May 2007 17:57:36 -0700

O.K., I'll try removing the other permissions and see if it runs.
Thanks again...


  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Monday, May 21, 2007 5:37 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: disable Integrated Windows Authentication in IE6 w/ GP



Well, if you're running the task as System then only the computer account
needs access to the mapped drive.

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Randy Benson
Sent: Monday, May 21, 2007 5:35 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: disable Integrated Windows Authentication in IE6 w/ GP

 

Thanks Darren:

 

No, the backup is local -- a batch file zips the backup and moves it to an
off-DC mapped drive, using wzzip.exe, the command line version of WinZip.

 

I just added NETWORK and NETWORK SERVICE with full permissions to the
security tab on the mapped network drive (SYSTEM was already there) and it
seems to be working -- I reset the scheduled start time for 1 minute in the
future and it's running now.

 

Have I overdone it? Do NETWORK and/or NETWORK SERVICE need these
permissions?

 

TIA,

Randy

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Monday, May 21, 2007 5:05 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: disable Integrated Windows Authentication in IE6 w/ GP

Randy-

System is the most privileged account on Windows, so you don't need to do
anything explicit. However, if the process running in Task Scheduler needs
to access resources off the box, then that resource needs to grant the
computer's account the appropriate permissions, since System acts on behalf
of the computer's account when it accesses remote resources. 

 

And, System has no password.

 

 

darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Randy Benson
Sent: Monday, May 21, 2007 5:00 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: disable Integrated Windows Authentication in IE6 w/ GP

 

Thanks Jamie, I'll try that tonight and report back...

 

Questions: 

 

What rights does SYSTEM need (that it doesn't have by default) to run
NTBACKUP?

 

The SYSTEM account is a GROUP for permission purposes, right? Do I leave the
password blank when I change the account to SYSTEM?

 

Thanks again,

Randy

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF
Sent: Monday, May 21, 2007 12:38 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: disable Integrated Windows Authentication in IE6 w/ GP

Have you tried running the task with the SYSTEM account and then giving the
computer rights to wherever it needs to copy the file to? That is easier
anyway because you don't have to go around updating every scheduled task
each time you change your password.

 

//signed//
Jamie R Nelson
Systems Engineer
Ingenium Corporation

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Randy Benson
Sent: Monday, May 21, 2007 2:33 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] disable Integrated Windows Authentication in IE6 w/ GP

 

On a W2k3 domain controller I have a scheduled task that invokes a batch
file to zip an existing .bkf file and move it to off-server storage.

 

The task is set to run under my domain admin credentials, but fails to start
with no errors in the event log and "Could not start" in the Scheduled
Task's status line.

 

While googling on "integrated windows authentication" + scheduled, I hit on
a thread in microsoft.public.windows.server.security titled "Scheduled Tasks
- Strange Permissions Issue" that seems to have cured the problem by
disabling IWA in Internet Explorer(!) Options -> Advanced -> Enable IWA on
the DC.

 

However, I'm worried that this is not a good solution, as Roger Abell pointed
out - that is, "the issue is still sitting there waiting to foul up an NTLM
based Windows integrated (re)login attempt".

 

My question is:

 

Is there something I can tweak in my DC GP to allow scheduled tasks to run
with IWA enabled?

 

TIA,

Randy Benson

W. R. BENSON & ASSOCIATES

Los Angeles, CA USA
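
An added example, not part of any message in this thread: a PowerShell check that lists write-capable Allow entries on the backup destination other than the computer account, which is the identity Darren describes a SYSTEM task using off the box. `Find-ExcessBackupAce`, `New-SampleAce`, `CORP\DC01$` and the sample ACL are assumptions constructed for illustration.

```powershell
# Added example; all names and ACL entries below are constructed placeholders.
function Find-ExcessBackupAce {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Rules,           # FileSystemAccessRule objects
        [Parameter(Mandatory = $true)] [string]   $ComputerAccount, # DOMAIN\NAME$ of the box running the task
        # Entries normally present on the file server itself. SYSTEM here is the
        # file server's own SYSTEM; it does not match a remote machine's SYSTEM.
        [string[]] $AlsoExpected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
    $allowed   = @($ComputerAccount) + $AlsoExpected
    foreach ($rule in $Rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }              # Deny entries are not grants
        if (($rule.FileSystemRights -band $writeData) -eq 0) { continue }  # read-only grant, ignore
        $who = $rule.IdentityReference.Value
        if ($allowed -notcontains $who) {
            # Emit one object per write-capable grant outside the expected set
            New-Object PSObject -Property @{ Identity = $who; Rights = $rule.FileSystemRights }
        }
    }
}

# Helper that builds an Allow entry without touching a real file system.
function New-SampleAce([string] $Identity, [string] $Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, 'Allow')
}

# Constructed ACL modelled on the state described in the thread: SYSTEM was
# already present, NETWORK and NETWORK SERVICE were added with full permissions.
# The CORP\DC01$ Modify entry is an assumed least-privilege grant.
$sampleAcl = @(
    (New-SampleAce 'NT AUTHORITY\SYSTEM'          'FullControl'),
    (New-SampleAce 'NT AUTHORITY\NETWORK'         'FullControl'),
    (New-SampleAce 'NT AUTHORITY\NETWORK SERVICE' 'FullControl'),
    (New-SampleAce 'CORP\DC01$'                   'Modify')
)

Find-ExcessBackupAce -Rules $sampleAcl -ComputerAccount 'CORP\DC01$' |
    Format-Table Identity, Rights -AutoSize
```

Against a real destination, pass `(Get-Acl <path>).Access` as `-Rules`; NTFS entries are only half the picture, since share-level permissions on the mapped drive apply as well.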

 

 
